Can you configure "SafeHTML"?

Oct 1, 2009 at 7:41 PM

There doesn't appear to be any way to define your own white list.  Or am I missing something?

I see configuration to identify the web controls to attach the XSS protection to at runtime, but I'm not seeing any configuration to define acceptable HTML tags.

Coordinator
Oct 5, 2009 at 4:43 PM

No, you cannot configure the list of acceptable HTML tags. This is done for security reasons. Future versions could include a class where you can specify tags to include in or exclude from the sanitization process.

Thanks
Anil

Nov 12, 2009 at 8:49 PM

I also needed that so I created a regex to fetch all the tags except a list of tags that I wanted to render through GetSafeHtml.
I wrote about it on my blog (in Swedish); however, the code I used looked something like this.

using System;
using System.Text.RegularExpressions;
using Microsoft.Security.Application; // namespace of the AntiXss class

String data = "some text.";

// Tags that should reach GetSafeHtml untouched; every other tag is encoded first.
String tags = "div|img|br";
// Match any opening or closing tag whose name is not in the list above.
String pattern = String.Concat(@"<(?!/?(", tags, @")( .*?|>)).*?>");

MatchCollection mc = Regex.Matches(data, pattern, RegexOptions.IgnoreCase);
foreach (Match match in mc)
{
    // Encode each disallowed tag so it renders as text instead of markup.
    data = data.Replace(match.Value, AntiXss.HtmlEncode(match.Value));
}

data = AntiXss.GetSafeHtml(data);

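
The pre-pass above, re-implemented in Python as an added example (not code from the thread or from the AntiXSS project) so it can be run stand-alone: the same negative-lookahead pattern, with html.escape standing in for AntiXss.HtmlEncode. It also shows that the posted pattern treats a self-closing <br/> (no space before the slash) as a non-allow-listed tag; the accept_self_closing variant is my own addition, not part of the original snippet.

```python
import html
import re

# Constructed sample input (not from the thread): a mix of allowed and
# disallowed tags, plus '<br/>' and '<brx>' to show the pattern's edge cases.
SAMPLE = '<div class="c">hi<script>alert(1)</script><br><br/><brx></div>'


def build_pattern(allowed, accept_self_closing=False):
    """Same construction as the posted C# snippet: a negative lookahead that
    lets '<tag ', '<tag>' and '</tag' through only for allow-listed tags."""
    tags = "|".join(re.escape(t) for t in allowed)
    # The posted pattern accepts only a space or '>' right after the tag name,
    # so '<br/>' is treated as NOT allow-listed and gets encoded. The variant
    # below (my addition, not from the thread) also accepts '/>'.
    after = r"(?: .*?|/?>)" if accept_self_closing else r"(?: .*?|>)"
    return re.compile(rf"<(?!/?(?:{tags}){after}).*?>", re.IGNORECASE)


def encode_disallowed_tags(data, allowed, accept_self_closing=False):
    """HTML-encode every tag that is not on the allow list, leaving the
    allowed tags in place for the sanitizer (GetSafeHtml in the thread) to
    process afterwards. html.escape stands in for AntiXss.HtmlEncode."""
    pattern = build_pattern(allowed, accept_self_closing)
    # A callable replacement encodes each match where it occurs, instead of
    # the whole-string data.Replace loop used in the original snippet.
    return pattern.sub(lambda m: html.escape(m.group(0)), data)


if __name__ == "__main__":
    allowed = ["div", "img", "br"]
    print(encode_disallowed_tags(SAMPLE, allowed))
    print(encode_disallowed_tags(SAMPLE, allowed, accept_self_closing=True))
```
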
Coordinator
Nov 16, 2009 at 7:26 PM

Interesting solution. There is a similar type of problem in this discussion: http://antixss.codeplex.com/Thread/View.aspx?ThreadId=74660. It uses a different approach to sanitization and encoding.

Thanks

Anil Revuru (INFORMATION SECURITY TOOLS)
